- Move range transitions to modules.

- Make the number of MLS sensitivities, and the number of MLS and MCS
  categories, configurable as build options.
Chris PeBenito 2006-10-04 17:25:34 +00:00
parent 00219064d7
commit e070dd2df0
47 changed files with 473 additions and 316 deletions


@ -1,3 +1,6 @@
- Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
categories configurable as build options.
- Add role infrastructure.
- Debian updates from Erich Schubert.
- Add nscd_socket_use() to auth_use_nsswitch().


@ -208,11 +208,16 @@ ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
endif
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
MLS_CATS ?= 256
MCS_CATS ?= 256
ifeq ($(QUIET),y)
verbose = @
endif
M4PARAM += -D hide_broken_symptoms
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
# we need exuberant ctags; unfortunately it is named
# differently on different distros
@ -454,7 +459,15 @@ $(userpath)/local.users: config/local.users
########################################
#
# Appconfig files
# Build Appconfig files
#
$(tmpdir)/initrc_context: $(appconf)/initrc_context
@mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
########################################
#
# Install Appconfig files
#
install-appconfig: $(appfiles)
@ -485,7 +498,7 @@ $(appdir)/userhelper_context: $(appconf)/userhelper_context
@mkdir -p $(appdir)
$(verbose) $(INSTALL) -m 644 $< $@
$(appdir)/initrc_context: $(appconf)/initrc_context
$(appdir)/initrc_context: $(tmpdir)/initrc_context
@mkdir -p $(appdir)
$(verbose) $(INSTALL) -m 644 $< $@
@ -527,6 +540,9 @@ endif
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
$(verbose) echo "POLY ?= $(POLY)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
########################################
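Review bot: The new `MLS_SENS ?= 16`, `MLS_CATS ?= 256` and `MCS_CATS ?= 256` defaults are interpolated unchecked into `-D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)`, so an empty or non-numeric value (`make MLS_SENS=` still satisfies `?=`) only fails later inside m4 or checkpolicy with a message that never names the knob. A parse-time guard right after the three defaults catches the empty case cheaply: `ifneq ($(words $(MLS_SENS) $(MLS_CATS) $(MCS_CATS)),3)` / `$(error MLS_SENS, MLS_CATS and MCS_CATS must each be a single positive integer)` / `endif`. Separately, the new `$(tmpdir)/initrc_context` recipe pipes `$(M4)` into `$(GREP) '^[a-z]' > $@`, so the rule's exit status is grep's rather than m4's; an m4 failure that has already emitted one matching line leaves a truncated target that is newer than its prerequisites and is treated as up to date on the next run, and the `$(tmpdir)/seusers` recipe in the next file section has the same shape. Writing m4 output to `$@.tmp` and running grep on that file (or a pipefail shell, if bash is mandated for this build) makes the failure visible. The `override MLS_SENS :=` family written into the installed build.conf is the right call: a header consumer compiled with different sensitivity or category counts than the base would otherwise produce levels the base does not declare.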


@ -88,15 +88,19 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
#
# Create a base module package
#
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(seusers) $(net_contexts)
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers $(net_contexts)
@echo "Creating $(NAME) base module package"
@test -d $(builddir) || mkdir -p $(builddir)
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(seusers) -n $(net_contexts)
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers -n $(net_contexts)
$(base_mod): $(base_conf)
@echo "Compiling $(NAME) base module"
$(verbose) $(CHECKMODULE) $^ -o $@
$(tmpdir)/seusers: $(seusers)
@mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
$(users_extra): $(m4support) $(user_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
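Review bot: The new `$(tmpdir)/seusers` recipe filters m4 output through `$(GREP) '^[a-z_]'` with nothing explaining the pattern, while the initrc_context recipe in the Makefile section uses `'^[a-z]'`; the underscore is what keeps the `__default__:user_u:s0` entries from the seusers hunks below, and anyone "harmonising" the two patterns would silently drop the default mapping from the base package. A one-line comment above the recipe would pin that down, e.g. `# keep only user entries (including __default__); drop blank lines and whatever else m4 leaves behind`. grep also exits non-zero on an empty result, so a seusers file that expands to nothing fails the build, which is presumably intended and worth stating in the same comment. The `$(users_extra)` rule whose recipe begins on the last hunk line continues outside the hunk.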


@ -46,6 +46,20 @@ MONOLITHIC=y
# Enable polyinstantiated directory support.
POLY=n
# Number of MLS Sensitivities
# The sensitivities will be s0 to s(MLS_SENS-1).
# Dominance will be in increasing numerical order
# with s0 being lowest.
MLS_SENS=16
# Number of MLS Categories
# The categories will be c0 to c(MLS_CATS-1).
MLS_CATS=256
# Number of MCS Categories
# The categories will be c0 to c(MLS_CATS-1).
MCS_CATS=256
# Set this to y to only display status messages
# during build.
QUIET=n
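Review bot: The comment above `MCS_CATS=256` is a copy of the MLS one and names the wrong variable: `# The categories will be c0 to c(MLS_CATS-1).` should read `# The categories will be c0 to c(MCS_CATS-1).`. Since this file is where users meet these knobs, it would also help to say that the values are compiled into the policy's level definitions (the policy/mls and policy/mcs hunks now generate sensitivities and categories from them) and recorded as `override` assignments in the installed build.conf, so a module presumably has to be built against headers carrying the same counts as the base it will be loaded into.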


@ -1,2 +1,2 @@
root:root:s0-s0:c0.c255
root:root:s0-mcs_systemhigh
__default__:user_u:s0


@ -1 +1 @@
system_u:system_r:initrc_t:s0-s15:c0.c255
system_u:system_r:initrc_t:s0-mls_systemhigh


@ -1,2 +1,2 @@
root:root:s0-s15:c0.c255
root:root:s0-mls_systemhigh
__default__:user_u:s0


@ -1,2 +1,2 @@
root:root:s0-s0:c0.c255
root:root:s0-mcs_systemhigh
__default__:user_u:s0


@ -1 +1 @@
user_u:system_r:initrc_t:s0-s15:c0.c255
user_u:system_r:initrc_t:s0-mls_systemhigh


@ -1,2 +1,2 @@
root:root:s0-s15:c0.c255
root:root:s0-mls_systemhigh
__default__:user_u:s0


@ -2,32 +2,23 @@ ifdef(`enable_mcs',`
#
# Define sensitivities
#
# Each sensitivity has a name and zero or more aliases.
#
# MCS is single-sensitivity.
#
sensitivity s0;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }
gen_sens(1)
#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
# Generate declarations
# generate declarations for c0 to c255
gen_cats(256)
gen_cats(mcs_num_cats)
#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
level s0:c0.c255;
gen_levels(1,mcs_num_cats)
#
# Define the MCS policy
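Review bot: `gen_cats(mcs_num_cats)` is now introduced by the bare `# Generate declarations`, which says less than the `# generate declarations for c0 to c255` line it replaces; `# Generate declarations for c0 to c(mcs_num_cats-1)` keeps the range visible to someone reading the file. `gen_sens(1)` stands in for both the `sensitivity s0;` declaration and the `dominance { s0 }` statement, and `gen_levels(1,mcs_num_cats)` for `level s0:c0.c255;`, so the macros presumably emit the ordering as well as the declarations; a short note that gen_sens also produces the dominance statement would save a reader a trip to the macro definition, which is not in any visible hunk.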


@ -2,62 +2,26 @@ ifdef(`enable_mls',`
#
# Define sensitivities
#
# Each sensitivity has a name and zero or more aliases.
#
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
sensitivity s7;
sensitivity s8;
sensitivity s9;
sensitivity s10;
sensitivity s11;
sensitivity s12;
sensitivity s13;
sensitivity s14;
sensitivity s15;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
# Domination of sensitivities is in increasin
# numerical order, with s0 being the lowest
gen_sens(mls_num_sens)
#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
# generate declarations for c0 to c255
gen_cats(256)
# Generate declarations
gen_cats(mls_num_cats)
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
level s0:c0.c255;
level s1:c0.c255;
level s2:c0.c255;
level s3:c0.c255;
level s4:c0.c255;
level s5:c0.c255;
level s6:c0.c255;
level s7:c0.c255;
level s8:c0.c255;
level s9:c0.c255;
level s10:c0.c255;
level s11:c0.c255;
level s12:c0.c255;
level s13:c0.c255;
level s14:c0.c255;
level s15:c0.c255;
# Generate levels from all sensitivities
# with all categories
gen_levels(mls_num_sens,mls_num_cats)
#
# Define the MLS policy
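Review bot: The new comment above `gen_sens(mls_num_sens)` has a typo, `increasin` for `increasing`: `# Domination of sensitivities is in increasing` / `# numerical order, with s0 being the lowest`. Since the build.conf hunk documents the same facts as `s0 to s(MLS_SENS-1)` and `c0 to c(MLS_CATS-1)`, stating the generated ranges here in the same terms, e.g. `# Generate declarations for c0 to c(mls_num_cats-1)` in place of the bare `# Generate declarations`, keeps the two descriptions in step.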


@ -165,15 +165,15 @@ portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
# nodes in net_contexts or net_contexts.mls.
#
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255)
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255)
network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::)
network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
network_node(site_local, s0, fec0::, ffc0::)
network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
@ -186,10 +186,10 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
# netif_t is the default type of network interfaces.
#
type netif_t, netif_type;
sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo,s0 - s15:c0.c255)
network_interface(lo, lo,s0 - mls_systemhigh)
')
########################################
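Review bot: The `s0 - s15:c0.c255` → `s0 - mls_systemhigh` replacements here, and the same substitution in the later .fc and .te hunks of this commit (device nodes, lost+found and tmp directories, the kernel and selinux initial SIDs, storage and terminal devices), are mechanical, but after this commit sensitivities only exist through `gen_sens(mls_num_sens)` in the policy/mls hunk, so any literal `s15` or `c255` left anywhere else in the tree breaks a build with `MLS_SENS` or `MLS_CATS` set below the old defaults. A tree-wide search for `s15` and `c0.c255` before merging would confirm nothing was missed; this chunk shows only part of the 47 files. The `build_option(`enable_mls',…)` wrapper kept around `network_interface(lo, lo,s0 - mls_systemhigh)` suggests `mls_systemhigh` is only meaningful under MLS, while the unguarded `sid node`/`sid netif` lines rely on `gen_context` handling the level in other configurations; that matches the pre-existing behaviour with the literal range, so it is presumably fine, but the macro's definition is not in any visible hunk.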


@ -25,10 +25,10 @@
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
@ -37,11 +37,11 @@
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,s15:c0.c255)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)


@ -29,7 +29,7 @@ ifdef(`distro_suse',`
/boot -d gen_context(system_u:object_r:boot_t,s0)
/boot/.* gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <<none>>
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/boot/lost\+found/.* <<none>>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
@ -92,9 +92,9 @@ ifdef(`distro_suse',`
# HOME_ROOT
# expanded by genhomedircon
#
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255)
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <<none>>
#
@ -112,7 +112,7 @@ HOME_ROOT/lost\+found/.* <<none>>
#
# /lost+found
#
/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/lost\+found/.* <<none>>
#
@ -176,11 +176,11 @@ HOME_ROOT/lost\+found/.* <<none>>
#
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/tmp/lost\+found/.* <<none>>
#
@ -200,12 +200,12 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/local/lost\+found/.* <<none>>
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>>
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
@ -213,7 +213,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/usr/tmp/.* <<none>>
#
@ -233,18 +233,18 @@ HOME_ROOT/lost\+found/.* <<none>>
/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>
/var/run -d gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255)
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)


@ -35,6 +35,45 @@ interface(`kernel_domtrans_to',`
allow $1 kernel_t:process sigchld;
')
########################################
## <summary>
## Allows to start userland processes
## by transitioning to the specified domain,
## with a range transition.
## </summary>
## <param name="domain">
## <summary>
## The process type entered by kernel.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The executable type for the entrypoint.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`kernel_ranged_domtrans_to',`
gen_require(`
type kernel_t;
')
kernel_domtrans_to($1,$2)
ifdef(`enable_mcs',`
range_transition kernel_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition kernel_t $2:process $3;
')
')
########################################
## <summary>
## Allows the kernel to mount filesystems on
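Review bot: `kernel_ranged_domtrans_to` emits the identical `range_transition kernel_t $2:process $3;` under both `ifdef(`enable_mcs',…)` and `ifdef(`enable_mls',…)`; the same duplicated pair appears in `auth_ranged_domtrans_login_program` and in the three `init_ranged_*` interfaces later in this commit, so a single shared conditional would let a future change to the range-transition statement be made in one place. The summary `## Allows to start userland processes` is ungrammatical; `## Allow the kernel to start a userland process by transitioning to the specified domain, with a range transition.` reads better and names the source domain, which the parameter docs otherwise never state. Of the transitions deleted from the mcs and mls modules in this commit, the ones with `kernel_t` as source (init_exec_t, lvm_exec_t, udev_exec_t) are what this interface replaces, yet no visible hunk calls it; the init.te hunk that would cover init_exec_t runs past the end of this chunk, so this is something to confirm rather than a known defect.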


@ -39,7 +39,7 @@ type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255)
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
#
# DebugFS
@ -62,13 +62,13 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
# kernel message interface
type proc_kmsg_t, proc_type;
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
# /proc kcore: inaccessible
type proc_kcore_t, proc_type;
neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type;
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
@ -136,18 +136,18 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
# have labels that are no longer valid are treated as having this type.
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid init gen_context(system_u:object_r:unlabeled_t,s0)
sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
@ -155,7 +155,7 @@ sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
########################################
#


@ -9,44 +9,3 @@ policy_module(mcs,1.0.4)
attribute mcskillall;
attribute mcsptraceall;
attribute mcssetcats;
########################################
#
# THIS IS A HACK
#
# Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this.
#
type auditd_exec_t;
type crond_exec_t;
type cupsd_exec_t;
type getty_t;
type init_t;
type init_exec_t;
type initrc_t;
type initrc_exec_t;
type login_exec_t;
type sshd_exec_t;
type udev_exec_t;
type unconfined_t;
type xdm_exec_t;
ifdef(`enable_mcs',`
# The eventual plan is to have a range_transition to s0 for the daemon by
# default and have the daemons which need to run with all categories be
# exceptions. But while range_transitions have to be in the base module
# this is not possible.
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
range_transition initrc_t setrans_exec_t s0 - s0:c0.c255;
range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
# these might be targeted_policy only
range_transition unconfined_t initrc_exec_t s0;
')


@ -49,24 +49,3 @@ attribute mlsrangetrans;
attribute mlsfduse;
attribute mlsfdshare;
########################################
#
# THIS IS A HACK
#
# Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this.
# Other types are declared in the mcs module.
#
type lvm_exec_t;
type run_init_t;
type setrans_exec_t;
ifdef(`enable_mls',`
range_transition initrc_t auditd_exec_t s15:c0.c255;
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
range_transition initrc_t setrans_exec_t s15:c0.c255;
range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
')


@ -19,7 +19,7 @@ attribute selinux_unconfined_type;
type security_t;
fs_type(security_t)
mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;


@ -5,36 +5,36 @@
/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
ifdef(`distro_redhat', `
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
')
/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
@ -42,25 +42,25 @@ ifdef(`distro_redhat', `
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,s15:c0.c255)
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)


@ -18,7 +18,7 @@
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)


@ -26,11 +26,7 @@ type cron_log_t;
logging_log_file(cron_log_t)
type crond_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type crond_exec_t;
')
init_daemon_domain(crond_t,crond_exec_t)
domain_interactive_fd(crond_t)
domain_cron_exemption_source(crond_t)
@ -67,6 +63,10 @@ ifdef(`targeted_policy',`
files_type(sysadm_cron_spool_t)
')
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
')
########################################
#
# Cron Local policy
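Review bot: With `enable_mcs` defined, crond_t now gets `init_daemon_domain(crond_t,crond_exec_t)` twice, once from the unconditional call that stays in the declarations block and once from inside `init_ranged_daemon_domain`, whose body in the init.if hunk begins with `init_daemon_domain($1,$2)`. If that interface only emits allow, typeattribute and role rules the duplicate is harmless noise, but the cleaner form makes the conditional cover both branches: `ifdef(`enable_mcs',`init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)',`init_daemon_domain(crond_t,crond_exec_t)')`. The cups.te, ssh.te and xserver.te hunks below have the same double expansion; xserver additionally calls both `init_ranged_domain` and `init_ranged_daemon_domain` for xdm_t, mirroring the deleted `init_t xdm_exec_t` and `initrc_t xdm_exec_t` transitions, which deserves a one-line comment there so it is not "tidied" into a single call later.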


@ -14,11 +14,7 @@ type cupsd_config_var_run_t;
files_pid_file(cupsd_config_var_run_t)
type cupsd_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type cupsd_exec_t;
')
init_daemon_domain(cupsd_t,cupsd_exec_t)
type cupsd_etc_t;
@ -68,6 +64,10 @@ files_config_file(ptal_etc_t)
type ptal_var_run_t;
files_pid_file(ptal_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')
########################################
#
# Cups local policy


@ -20,11 +20,7 @@ role system_r types ssh_keygen_t;
type ssh_keysign_exec_t;
corecmd_executable_file(ssh_keysign_exec_t)
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type sshd_exec_t;
')
corecmd_executable_file(sshd_exec_t)
type sshd_key_t;
@ -36,6 +32,10 @@ ifdef(`targeted_policy',`
type sshd_var_run_t;
files_type(sshd_var_run_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
')
',`
# Type for the ssh-agent executable.
type ssh_agent_exec_t;
@ -55,6 +55,10 @@ ifdef(`targeted_policy',`
# These rules should match the else block
# of the run_ssh_inetd tunable directly above
init_daemon_domain(sshd_t,sshd_exec_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
')
# ')
type sshd_tmp_t;


@ -26,11 +26,7 @@ fs_associate_tmpfs(xconsole_device_t)
files_associate_tmp(xconsole_device_t)
type xdm_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type xdm_exec_t;
')
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t,xdm_exec_t)
init_daemon_domain(xdm_t,xdm_exec_t)
@ -71,6 +67,11 @@ logging_log_file(xserver_log_t)
xserver_common_domain_template(xdm)
init_system_domain(xdm_xserver_t,xserver_exec_t)
ifdef(`enable_mcs',`
init_ranged_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
')
optional_policy(`
prelink_object_file(xkb_var_lib_t)
')


@ -280,6 +280,43 @@ interface(`auth_domtrans_login_program',`
allow $2 $1:process sigchld;
')
########################################
## <summary>
## Execute a login_program in the target domain,
## with a range transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## The type of the login_program process.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range of the login program.
## </summary>
## </param>
#
interface(`auth_ranged_domtrans_login_program',`
gen_require(`
type login_exec_t;
')
auth_domtrans_login_program($1,$2)
ifdef(`enable_mcs',`
range_transition $1 login_exec_t:process $3;
')
ifdef(`enable_mls',`
range_transition $1 login_exec_t:process $3;
')
')
########################################
## <summary>
## Run unix_chkpwd to check a password.


@ -11,7 +11,7 @@ attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
type chkpwd_exec_t;
files_type(chkpwd_exec_t)
corecmd_executable_file(chkpwd_exec_t)
type faillog_t;
logging_log_file(faillog_t)
@ -19,12 +19,8 @@ logging_log_file(faillog_t)
type lastlog_t;
logging_log_file(lastlog_t)
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type login_exec_t;
')
files_type(login_exec_t)
corecmd_executable_file(login_exec_t)
type pam_console_t;
type pam_console_exec_t;
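Review bot: The first hunk swaps `files_type(chkpwd_exec_t)` for `corecmd_executable_file(chkpwd_exec_t)` (the rendering drops the markers, but the second hunk, which makes the same switch for login_exec_t while returning its declaration from the mls module, indicates files_type is the old line). That is a labeling change on the password checker's entry type, unrelated to range transitions or the MLS/MCS knobs, and the commit message does not mention it; it deserves its own line in the description or its own commit so it is not lost inside a 47-file mechanical diff.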


@ -6,11 +6,7 @@ policy_module(getty,1.1.4)
# Declarations
#
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type getty_t;
')
type getty_exec_t;
init_domain(getty_t,getty_exec_t)
domain_interactive_fd(getty_t)


@ -42,6 +42,43 @@ interface(`init_domain',`
')
')
########################################
## <summary>
## Create a domain which can be started by init,
## with a range transition.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`init_ranged_domain',`
gen_require(`
type init_t;
')
init_domain($1,$2)
ifdef(`enable_mcs',`
range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition init_t $2:process $3;
')
')
########################################
## <summary>
## Create a domain for long running processes
@ -127,6 +164,43 @@ interface(`init_daemon_domain',`
')
')
########################################
## <summary>
## Create a domain for long running processes
## (daemons) which can be started by init scripts.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
')
init_daemon_domain($1,$2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
')
')
########################################
## <summary>
## Create a domain for short running processes
@ -170,6 +244,43 @@ interface(`init_system_domain',`
')
')
########################################
## <summary>
## Create a domain for short running processes
## which can be started by init scripts.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
')
init_system_domain($1,$2)
ifdef(`enable_mcs',`
range_transition initrc_t $2 $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2 $3;
')
')
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition.
@ -483,10 +594,17 @@ interface(`init_domtrans_script',`
files_list_etc($1)
domain_auto_trans($1,initrc_exec_t,initrc_t)
allow initrc_t $1:fd use;
allow initrc_t $1:fifo_file rw_file_perms;
allow initrc_t $1:process sigchld;
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
ifdef(`enable_mls',`
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
')
')
########################################
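Review bot: The two `range_transition` statements in `init_ranged_system_domain` omit the object class (`range_transition initrc_t $2 $3;`), while `init_ranged_domain` and `init_ranged_daemon_domain` in the same file write `$2:process $3`. If I have the policy syntax right the class is optional and defaults to process, so this is a consistency point rather than a functional one, but writing `range_transition initrc_t $2:process $3;` in both branches removes any doubt that a different class was intended. All three interfaces also take a range that must be valid for whichever of enable_mcs/enable_mls is active (callers in this commit wrap the call in the matching ifdef); stating that in the `<param name="range">` summary, e.g. `Range for the domain; must be expressed in the active MLS or MCS level scheme (callers normally wrap the call in ifdef(enable_mls)/ifdef(enable_mcs))`, would save module authors a confusing compile error.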


@ -22,26 +22,12 @@ attribute daemon;
#
# init_t is the domain of the init process.
#
# real declaration moved to mls until
# range_transition works in loadable modules
# also remove the extra init_exec_t dependencies
# in init_t interfaces when the decl gets moved back here.
gen_require(`
type init_t;
')
domain_type(init_t)
role system_r types init_t;
#
# init_exec_t is the type of the init program.
#
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type init_exec_t;
')
kernel_domtrans_to(init_t,init_exec_t)
domain_type(init_t)
domain_entry_file(init_t,init_exec_t)
kernel_domtrans_to(init_t,init_exec_t)
role system_r types init_t;
#
# init_var_run_t is the type for /var/run/shutdown.pid.
@ -58,20 +44,11 @@ type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type initrc_t;
')
domain_type(initrc_t)
role system_r types initrc_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type initrc_exec_t;
')
domain_type(initrc_t)
domain_entry_file(initrc_t,initrc_exec_t)
role system_r types initrc_t;
type initrc_devpts_t;
term_pty(initrc_devpts_t)
@ -86,6 +63,10 @@ files_tmp_file(initrc_tmp_t)
type initrc_var_run_t;
files_pid_file(initrc_var_run_t)
ifdef(`enable_mls',`
kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh)
')
########################################
#
# Init local policy
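Review bot: The removed reminder `# also remove the extra init_exec_t dependencies in init_t interfaces when the decl gets moved back here` describes a follow-up that the init.if changes in this commit do not visibly perform — the new `init_ranged_domain` requires only `type init_t;`, but the pre-existing init_t interfaces are outside the diff, so please confirm the stale `init_exec_t` requires were dropped along with the reminder. The `kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh)` block is MLS-only while udev.te in this commit gets an MCS counterpart; presumably init already inherits a suitable range from the kernel context under MCS, and a one-line comment such as `# MLS only: init must span the full range; under MCS it keeps the kernel's range` would keep the next reader from treating the asymmetry as an omission — worth verifying against the MCS initial SID contexts. Placing that block next to the init_t declaration rather than after initrc_var_run_t would also make the relationship obvious.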


@ -16,6 +16,10 @@ interface(`locallogin_domtrans',`
')
auth_domtrans_login_program($1,local_login_t)
ifdef(`enable_mcs',`
auth_ranged_domtrans_login_program($1,local_login_t,s0 - mcs_systemhigh)
')
')
########################################
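Review bot: The ranged transition is added only under `enable_mcs`, so under MLS local_login_t keeps whatever range its caller runs at; I assume that is deliberate (init.if in this commit hands initrc_t the full `s0 - mls_systemhigh` range, so login inherits it), but nothing here says so. A comment above the block, e.g. `# MCS only: initrc_t runs at s0, so local_login needs an explicit range to log users in with any category set; under MLS the full range is inherited from the caller`, would stop the next reader from adding an MLS branch or assuming the MLS build is broken. `locallogin_domtrans` begins outside the hunk (its gen_require block is above the first line shown).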


@ -1,7 +1,7 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
@ -24,11 +24,11 @@ ifdef(`distro_suse', `
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)


@ -21,11 +21,7 @@ files_security_file(auditd_log_t)
files_mountpoint(auditd_log_t)
type auditd_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type auditd_exec_t;
')
init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t;
@ -58,6 +54,10 @@ files_pid_file(syslogd_var_run_t)
type var_log_t;
logging_log_file(var_log_t)
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
########################################
#
# Auditd local policy
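Review bot: The new `init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)` block sits after the var_log_t declaration, two declarations away from `auditd_t` and the `init_daemon_domain` call it duplicates, and gives auditd a single level rather than a range without saying why. Moving it directly under `init_daemon_domain(auditd_t,auditd_exec_t)` with a comment such as `# MLS: run auditd at system high (single level) — presumably to match the mls_systemhigh label on the audit log; MCS needs no explicit range` would make the intent reviewable; the "presumably" is mine, so please state the real reason. Note that per the new init.if, `init_ranged_daemon_domain` calls `init_daemon_domain` itself, so the unconditional call above is redundant under MLS but still required for the standard build — a short comment would stop someone from "cleaning it up".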


@ -14,11 +14,7 @@ type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t)
type lvm_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type lvm_exec_t;
')
init_system_domain(lvm_t,lvm_exec_t)
# needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin


@ -6,12 +6,12 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
#
# /root


@ -94,11 +94,7 @@ role system_r types restorecond_t;
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
# real declaration moved to mls until
# range transitions work in modules
gen_require(`
type run_init_t;
')
type run_init_exec_t;
domain_type(run_init_t)
domain_entry_file(run_init_t,run_init_exec_t)


@ -1,3 +1,3 @@
/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)


@ -7,17 +7,21 @@ policy_module(setrans,1.0.3)
#
type setrans_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type setrans_exec_t;
')
init_daemon_domain(setrans_t, setrans_exec_t)
type setrans_var_run_t;
files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(setrans_t, setrans_exec_t,s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(setrans_t, setrans_exec_t,mls_systemhigh)
')
########################################
#
# setrans local policy
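Review bot: The MCS branch gives setrans_t a range (`s0 - mcs_systemhigh`) while the MLS branch gives it a single level (`mls_systemhigh`), and nothing explains the different shapes; if a single system-high level is what the translation daemon needs under MLS, a comment such as `# MLS: mcstransd runs at a single system-high level; MCS: full category range` should say so, and if not the MLS argument should be `s0 - mls_systemhigh`. Both branches call `init_ranged_daemon_domain`, which per the new init.if already invokes `init_daemon_domain`, so the unconditional `init_daemon_domain(setrans_t, setrans_exec_t)` above is redundant under MCS/MLS; it is still needed for the non-MLS build and the duplication looks harmless as far as I can tell, but a one-line comment stating that would prevent a well-meant cleanup from breaking the standard build.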


@ -6,13 +6,8 @@ policy_module(udev,1.3.6)
# Declarations
#
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type udev_exec_t;
')
type udev_t;
type udev_exec_t;
type udev_helper_exec_t;
kernel_domtrans_to(udev_t,udev_exec_t)
domain_obj_id_change_exemption(udev_t)
@ -34,6 +29,11 @@ files_type(udev_tbl_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t,udev_exec_t,s0 - mcs_systemhigh)
init_ranged_daemon_domain(udev_t,udev_exec_t,s0 - mcs_systemhigh)
')
########################################
#
# Local policy
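Review bot: The ranged transitions for udev_t are added only under `enable_mcs`, even though the removed comment says the declaration previously lived in the mls file because of a range transition there; I assume the MLS case is now covered by inheritance (init_t and initrc_t receive `s0 - mls_systemhigh` elsewhere in this commit, and a process keeps its caller's range when no range_transition applies), but the hunk does not say so. A comment above the block, e.g. `# MCS only: init/initrc run at s0, so udev needs an explicit range to label device nodes with categories; under MLS the full range is inherited`, would prevent the next reader from either adding an MLS branch or concluding the MLS build lost udev's range — please confirm the inheritance assumption before keeping it.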


@ -6,11 +6,7 @@ policy_module(unconfined,1.3.15)
# Declarations
#
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type unconfined_t;
')
type unconfined_exec_t;
init_system_domain(unconfined_t,unconfined_exec_t)


@ -1,5 +1,5 @@
ifdef(`strict_policy',`
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)


@ -15,6 +15,16 @@ define(`policy_module',`
require {
role system_r;
all_kernel_class_perms
ifdef(`enable_mcs',`
sensitivity s0;
category c0, c`'decr(mcs_num_cats);
')
ifdef(`enable_mls',`
sensitivity s0, s`'decr(mls_num_sens);
category c0, c`'decr(mls_num_cats);
')
}
')
')
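Review bot: The require block names only the end points of each range (`s0` and `s`'decr(mls_num_sens)`, `c0` and the last category), which is enough for the `s0`, `mls_systemhigh`/`mcs_systemhigh` and `c0.cN` forms this commit uses but, as far as I can tell, not for a module that names an intermediate sensitivity or category directly; a comment stating that contract, e.g. `# only the range end points are required here; a module that refers to an intermediate sN/cN must require it itself`, would save module authors a confusing link error. With `MLS_SENS` set to 1 the MLS branch expands to `sensitivity s0, s0;` — confirm the module compiler accepts a repeated name in a require, or reject that value at build time.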


@ -76,16 +76,3 @@ define(`can_exec',`allow $1 $2:file { rx_file_perms execute_no_trans };')
define(`gen_bool',`
bool $1 dflt_or_overr(`$1'_conf,$2);
')
########################################
#
# gen_cats(N)
#
# declares categores c0 to c(N-1)
#
define(`decl_cats',`dnl
category c$1;
ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
')
define(`gen_cats',`decl_cats(0,decr($1))')


@ -0,0 +1,57 @@
########################################
#
# gen_cats(N)
#
# declares categores c0 to c(N-1)
#
define(`decl_cats',`dnl
category c$1;
ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
')
define(`gen_cats',`decl_cats(0,decr($1))')
########################################
#
# gen_sens(N)
#
# declares sensitivites s0 to s(N-1) with dominance
# in increasing numeric order with s0 lowest, s(N-1) highest
#
define(`decl_sens',`dnl
sensitivity s$1;
ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
')
define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
define(`gen_sens',`
# Each sensitivity has a name and zero or more aliases.
decl_sens(0,decr($1))
# Define the ordering of the sensitivity levels (least to greatest)
dominance { gen_dominance(0,decr($1)) }
')
########################################
#
# gen_levels(N,M)
#
# levels from s0 to (N-1) with categories c0 to (M-1)
#
define(`decl_levels',`dnl
level s$1:c0.c$3;
ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
')
define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
########################################
#
# Basic level names for system low and high
#
define(`mls_systemlow',`s0')
define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
define(`mcs_systemlow',`s0')
define(`mcs_systemhigh',`s0:c0.c`'decr(mcs_num_cats)')
define(`mcs_allcats',`c0.c`'decr(mcs_num_cats)')
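Review bot: `decl_cats`, `decl_sens`, `gen_dominance` and `decl_levels` recurse until `$1` equals `$2`, and the only bound comes from `decr()` of the now user-configurable MLS_SENS/MLS_CATS/MCS_CATS values; a count of 0 makes `$2` equal `-1`, which `$1` counting upward from 0 never reaches, so m4 emits `category cN;` lines without end instead of failing. Since the counts are build options, the entry points should reject anything below 1 before the recursion starts (below); the recursive helpers can stay as they are once the entries are guarded. Minor: `categores` and `sensitivites` in the header comments are typos, and the `gen_levels` comment should read `levels from s0 to s(N-1)` to match the `gen_sens` comment.
```m4
dnl refuse a non-positive count before the open-ended recursion below is entered
define(`check_count',`ifelse(eval($2 >= 1),1,,`errprint(`$1: count must be >= 1, got $2
')m4exit(1)')')
define(`gen_cats',`check_count(`gen_cats',$1)decl_cats(0,decr($1))')
dnl … unchanged: decl_sens, gen_dominance …
define(`gen_sens',`check_count(`gen_sens',$1)
# Each sensitivity has a name and zero or more aliases.
decl_sens(0,decr($1))
# Define the ordering of the sensitivity levels (least to greatest)
dominance { gen_dominance(0,decr($1)) }
')
dnl … unchanged: decl_levels …
define(`gen_levels',`check_count(`gen_levels',$1)check_count(`gen_levels',$2)decl_levels(0,decr($1),decr($2))')
```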


@ -16,7 +16,7 @@
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
@ -26,11 +26,11 @@ gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
# permit any access to such users, then remove this entry.
#
ifdef(`targeted_policy',`
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
')
#
@ -41,11 +41,11 @@ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
# not in the sysadm_r.
#
ifdef(`targeted_policy',`
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
ifdef(`direct_sysadm_daemon',`
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
')
')


@ -76,11 +76,16 @@ ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
endif
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
MLS_CATS ?= 256
MCS_CATS ?= 256
ifeq ($(QUIET),y)
verbose := @
endif
M4PARAM += -D hide_broken_symptoms
M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
# policy headers
m4support = $(wildcard $(HEADERDIR)/support/*.spt)
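Review bot: `MLS_SENS`, `MLS_CATS` and `MCS_CATS` are accepted from the environment or command line with no validation and go straight into m4 as `mls_num_sens`/`mls_num_cats`/`mcs_num_cats`, where the new support macros apply `decr()` to them; as far as I can tell an empty or zero value reaches the macros as `-1`, and a non-numeric one fails only deep inside the policy build with an m4 diagnostic rather than at the Makefile. A parse-time guard right after the defaults keeps the failure readable: `$(foreach v,MLS_SENS MLS_CATS MCS_CATS,$(if $(filter-out 0,$(strip $($(v)))),,$(error $(v) must be a positive integer, got '$($(v))')))`. That catches empty and zero only; a full integer check would need a shell and is probably not worth it here, but the comment on the defaults should at least say the values must be positive integers and that `?=` lets the environment override them.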